PT-2026-44426 · Casdoor · Casdoor

David Lie

+4

·

Published

2026-05-28

·

Updated

2026-07-07

·

CVE-2026-9097

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Casdoor versions prior to 2.362.1
Description Casdoor fails to verify if a JSON Web Token (JWT) used for token exchange remains active. The GetTokenExchangeToken() function in object/token oauth.go validates the JWT signature and parses its claims but does not query the Token table to check if the subject token has been revoked or invalidated. This absence of a revocation check prevents administrators from terminating active sessions or revoking compromised tokens.
Recommendations Update to a version later than 2.362.0.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9097
GHSA-339W-3HQM-9PJC
GO-2026-5892

Affected Products

Casdoor